Ascertia: Using CSC API to increase interoperability and digital trust


By Mike Hathaway, Chief Product Officer, Ascertia

The latest release of Ascertia’s ADSS Server is designed to put organisations in control of how people, devices and things interact with trust infrastructures, and of the registration and vetting that precede the enrolment of new digital certificates and the update or revocation of existing ones. To make the signing services built on it interoperable, Ascertia has adopted the Cloud Signature Consortium (CSC) API standards, so that Trust Service Providers can offer remote signing services that conforming client applications can use regardless of vendor.
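To make the interoperability point concrete, here is an added example (written for this page, not Ascertia’s or ADSS Server’s code) of the two CSC API v1 calls a client makes to obtain a remote signature: credentials/authorize, which returns a Signature Activation Data (SAD) token, and signatures/signHash, which returns a signature over a client-supplied digest. The endpoint paths and JSON field names (credentialID, numSignatures, hash, PIN, SAD, signAlgo, signatures) are those of the CSC API v1 specification; the credential identifier alice-qualified-1, the PIN 1234 and the in-process RSSP stand-in are constructed assumptions. hashAlgo is omitted because the signAlgo sha256WithRSAEncryption already fixes the digest algorithm, and the client verifies the result against the demo key’s public half where a real client would use the certificate returned by credentials/info. The security-relevant detail it shows is that a SAD is scoped to one credential and one set of hashes and is consumed on first use, so a captured SAD cannot be replayed or used to sign a different document.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

const oidSHA256RSA = "1.2.840.113549.1.1.11" // standard OID for sha256WithRSAEncryption, sent as signAlgo
const credentialID = "alice-qualified-1"     // hypothetical credential identifier (constructed)
const demoPIN = "1234"                       // constructed PIN for the demo credential
type authorizeReq struct {
	CredentialID  string   `json:"credentialID"`
	NumSignatures int      `json:"numSignatures"`
	Hash          []string `json:"hash"`
	PIN           string   `json:"PIN"`
}
type signHashReq struct {
	CredentialID string   `json:"credentialID"`
	SAD          string   `json:"SAD"`
	Hash         []string `json:"hash"`
	SignAlgo     string   `json:"signAlgo"`
}

// RSSP is a minimal stand-in for a CSC-conformant remote signing service (not ADSS Server).
type RSSP struct {
	key  *rsa.PrivateKey   // the one credential's signing key; in memory only for this demo
	sads map[string]string // SAD -> "credentialID|hashes" it authorises, single use
}
func NewRSSP() (*RSSP, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &RSSP{key: key, sads: map[string]string{}}, nil
}

// Authorize handles POST /csc/v1/credentials/authorize: prove control of the credential (a PIN here), get a SAD.
func (s *RSSP) Authorize(body []byte) ([]byte, error) {
	var req authorizeReq
	if json.Unmarshal(body, &req) != nil || req.CredentialID != credentialID || req.PIN != demoPIN {
		return nil, errors.New("invalid_request: unknown credential or wrong PIN")
	}
	raw := make([]byte, 16)
	rand.Read(raw)
	sad := base64.StdEncoding.EncodeToString(raw)
	s.sads[sad] = req.CredentialID + "|" + strings.Join(req.Hash, ",") // SAD is scoped to exactly these hashes
	return json.Marshal(map[string]any{"SAD": sad, "expiresIn": 300})
}

// SignHash handles POST /csc/v1/signatures/signHash: sign exactly the digests the SAD was issued for.
func (s *RSSP) SignHash(body []byte) ([]byte, error) {
	var req signHashReq
	if json.Unmarshal(body, &req) != nil || req.SignAlgo != oidSHA256RSA || s.sads[req.SAD] != req.CredentialID+"|"+strings.Join(req.Hash, ",") {
		return nil, errors.New("invalid_request: SAD missing, replayed, or not issued for these hashes")
	}
	delete(s.sads, req.SAD) // single use: a captured SAD cannot be replayed
	var sigs []string
	for _, h := range req.Hash {
		digest, err := base64.StdEncoding.DecodeString(h)
		if err != nil || len(digest) != sha256.Size {
			return nil, errors.New("invalid_request: hash must be a base64 SHA-256 digest")
		}
		sig, _ := rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest)
		sigs = append(sigs, base64.StdEncoding.EncodeToString(sig))
	}
	return json.Marshal(map[string]any{"signatures": sigs})
}

// RemoteSign is the client: hash locally (the document never leaves the client), get a SAD, sign, verify.
func RemoteSign(s *RSSP, doc []byte, pin string) ([]byte, error) {
	d := sha256.Sum256(doc)
	hashes := []string{base64.StdEncoding.EncodeToString(d[:])}
	body, _ := json.Marshal(authorizeReq{CredentialID: credentialID, NumSignatures: 1, Hash: hashes, PIN: pin})
	out, err := s.Authorize(body)
	if err != nil {
		return nil, err
	}
	var auth struct{ SAD string `json:"SAD"` }
	json.Unmarshal(out, &auth)
	body, _ = json.Marshal(signHashReq{CredentialID: credentialID, SAD: auth.SAD, Hash: hashes, SignAlgo: oidSHA256RSA})
	if out, err = s.SignHash(body); err != nil {
		return nil, err
	}
	var res struct{ Signatures []string `json:"signatures"` }
	if json.Unmarshal(out, &res) != nil || len(res.Signatures) != 1 {
		return nil, errors.New("expected exactly one signature")
	}
	sig, err := base64.StdEncoding.DecodeString(res.Signatures[0])
	if err != nil || rsa.VerifyPKCS1v15(&s.key.PublicKey, crypto.SHA256, d[:], sig) != nil {
		return nil, errors.New("signature returned by the RSSP does not verify")
	}
	return sig, nil
}
```

In a deployed RSSP the private key would sit in an HSM or QSCD behind the service rather than in process memory, and CSC also allows an OTP or an OAuth 2.0 authorisation code in place of the PIN; the message structure, and the rule that a SAD authorises only the hashes it was issued for, are unchanged.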

Addressing the Challenges of Establishing Trust Online

Establishing trust in online transactions is pivotal in any interaction between a business and its customers. That trust begins with proving the identity of an end entity. However, the strength of a digital identity varies with the Trust Service Provider (TSP) that issues it: each TSP has its own enrolment and identity-vetting requirements, and the higher the trust level, the more rigorous the vetting. We identify the following categories of TSP, based on the type of certificates they issue and their audit requirements:

  • TSP – the basic public Trust Service Provider
  • AATL – Adobe Approved Trust List provider
  • QTSP – Qualified Trust Service Provider (additional audit requirements to comply with the eIDAS regulation for legally binding digital signatures)
  • RSSP – Remote Signature Service Provider (may be any of the above, but additionally exposes remote signing services)

Protecting Digital Identities

We’ve discussed levels of digital trust: certificates can be issued at different assurance levels to different entities and organisations. The type of certificate determines which provider you select and the vetting required. It also determines how the identity keys and certificates must be generated and stored: in software, on a cryptographic smartcard or token, or in a Hardware Security Module (HSM) or remote Qualified Signature Creation Device (QSCD). We differentiate these as levels of assurance:

Basic or Simple

  • No cryptographic security
  • A simple mark in the document: a check box, typed name or user-drawn signature
  • Little protection against document alteration

Advanced – individual or e-seal signing certificates

  • Signatures based on a private PKI
  • Software- or hardware-based keys
  • Local and remote signing supported

AATL – Adobe Approved Trust List – individual or e-seal signing certificates

  • Keys must be stored in a FIPS 140-2 Level 2 or 3 smartcard or hardware device (HSM)
  • Applicants must submit proof of identity that can be verified independently

EU Qualified – individual or e-seal signing certificates

  • Keys must be held in a Qualified Signature Creation Device (QSCD): a certified smartcard or HSM, which may be operated remotely by the QTSP
  • Applicants must submit proof of identity that can be verified independently
  • Face-to-face or video vetting required

Interoperability between signing services and providers gives our clients more choice in the type of digital identity and the level of assurance that is right for them. Whatever they choose, we ensure the digital identity is duly established and protected.